(Link to video)
Bowser left a back door open into the Princess' chamber, letting Mario rescue her 7 minutes and 30 seconds faster. This run uses a glitched pipe entry in 7-1 to go out of bounds, where a glitched tile and enemy x-positions are used to execute arbitrary code that jumps straight to the Princess rescue.
Enable subtitles on the encode if you want some explanation as the movie plays.

Lord Tom's Comments

Tompa and I had been working pretty steadily on a 100% run when RAT926 found the glitch. I wasn't good enough with assembly to try to do anything with it until HHS figured out a way to use it to reach the credits. The prospect of cutting 7 minutes off the any% was too much to pass up, so here we are!
It was a challenge to understand the spawning/despawning behavior and translate that into strats that would both be fast and give us the memory values we needed. But my biggest surprise was how hard it was to optimize Mario's movements with the tail on a vertical level like 7-1...we re-did various portions countless times for frame savings big and small.
Along the way I was happy to work with Producks on strats that might be possible realtime, a feat at least 3 speed-runners have accomplished, with the fastest time currently 3:31 with room for improvement.
My personal preference would be that this run not obsolete the prior any%, with a new category created whichever labels are chosen. I know there's active discussion presently on how to handle this sort of glitched run, so here's some more fodder for discussion. :)

Tompa's Comments

I had tried to improve the previous run for a long time, just to see if we could push it lower. Thanks to Glitchman, 9 of the 14 needed frames for the first world were improved. And with a few extra frames by Tom and I, we reached 13. I gave up for the moment. Until this glitch came around!
I expected us to be done fairly quickly, for an April 1st submission, though we kept pushing it. When you are just one frame from bypassing another frame rule, you just have to go for it.
I'm quite happy with the result. Meaning it's finally time to get back to the 100% TAS and work on fun autoscrollers again...

World 1

Not much is new here. GlitchMan found a faster way to collect the mushroom in 1-1. We managed to save a few more frames in the fortress using less slowdown to get past the balls.

7-1

Recent warpless TASes have gone through the wall to skip most of 7-1, so TAS'ing the vertical portion was pretty new. Having the raccoon suit left over from 1-F is helpful since the tail-flip lets Mario grab shells very quickly, and Mario can also tail-flip shells on the same frame he stomps them to climb faster. Wall jumps are also crucial to climbing without needing either P-speed or entering extra tubes (which are very slow).

Wrong-warping SMB3

Touching the glitch tile, an invisible note block, makes the game try to update tile memory outside of the normal tile data. The write lands at address $9c70, which falls in the cartridge mapper's register range and reprograms how the processor maps addresses to ROM. This causes execution to jump to an unintended area of the ROM and run the bytes found there as instructions. Eventually the stack overflows and the processor starts executing RAM as instructions, starting at address $0081, which is just before the player x value at $0090 and the enemy x values at $0091-$0095.
Devising an effective strat requires understanding how enemies spawn into the five enemy slots. New enemies spawn when the screen scrolls close enough to their spawn position, and that enemy has not previously been killed. The new enemy will be placed into the first slot that doesn't already hold an active enemy, starting at $0095 and working backwards.
To jump to the Princess, we need 3 consecutive x values to read, in order: 32, 225 or 227, 143. This results in the assembly instruction "JSR $8FE1", which reads as "Jump to the subroutine at address $8FE1." (32 is the JSR opcode byte, $20, and the two bytes after it form the target address, low byte first: 225 = $E1 and 143 = $8F. With 227 = $E3 the target is $8FE3, which works just as well.)
Mario's x must be 232-240 to activate the glitch, so Mario's own x at $0090 can't supply any of the three values; all three have to come from consecutive enemy slots, which means 3 enemies must be used. The leftmost piranha plant's x range includes 32; the other 2 plants aren't useful, so 225/227 and 143 have to come from koopas.
The piranha plant unavoidably spawns into $0094 at the start of the level, but we need it at $0093 or lower to have 2 enemy slots follow it. Therefore we have to climb at least until the piranha despawns. But doing so (bringing the first koopa along to keep $0095 occupied) spawns the koopa between the ?'s into $0094 and the flying koopa into $0093. Initial efforts killed the flying koopa to allow the piranha to spawn into $0093 on the way down. Later, we found that by optimizing a 4-frame despawn rule and grabbing the ?'s koopa and falling very quickly we could despawn the flying koopa just before the piranha spawns, putting the piranha into the correct slot. Note also that the right-most piranha must be killed on the way up or it will spawn into $0093 on the way back down.
Mario can only carry one shell at a time. So to grab the ?'s shell, we need to throw the $0095 shell such that it doesn't despawn and also ends up where we can grab it again. There's not much margin for this, but it's just possible to throw the shell so it ends up spinning between the middle pipes down below. This lets Mario grab it after throwing the $0094 shell without breaking stride.
As we fall from the ?'s area, we now have the left piranha plant in $0093, the ?'s shell in $0094, and the first shell from the level entry in $0095. All that remains is to throw the two shells such that they hit the right x values on the same (single) frame the plant's x value hits 32...and then execute the pipe glitch on that same frame.
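To make the mechanics above concrete, here is a small 6502 model written for this page. It is not code from the submission, from HHS's troubleshooting script, or from the game. It shows three things the write-up relies on: an RTS executed with the stack pointer already at $FF pulls its return address from $0100/$0101 and resumes at $0081; three consecutive enemy x-positions read as "JSR $8FE1" (or "JSR $8FE3" with 227); and the spawn bookkeeping that ends with the left piranha in $0093. The memory image and enemy names are constructed for the example, only the bytes the text names are set, and the bytes between $0081 and $0092 that the real game executes first are not modelled.

```python
# Added example, not code from the submission, HHS's script, or the game.
# Models the 6502 facts the write-up relies on: an RTS with S=$FF pulls its
# return address from $0100/$0101, three consecutive enemy x bytes decode as
# "JSR $8FE1", and enemies fill slots from $0095 downward. The memory image
# is constructed for the example, not a dump from the game.

STACK_PAGE = 0x0100
PLAYER_X = 0x0090                                         # Mario's x, per the write-up
ENEMY_X_SLOTS = [0x0095, 0x0094, 0x0093, 0x0092, 0x0091]  # spawn scans $0095 downward


def rts_return_address(mem, s):
    """Simulate a 6502 RTS: pull the low byte, then the high byte, and add 1
    (JSR pushes return-address minus one). S is 8 bits, so from S=$FF the
    first pull wraps around to $0100. Returns (new_pc, new_s)."""
    s = (s + 1) & 0xFF
    lo = mem[STACK_PAGE + s]
    s = (s + 1) & 0xFF
    hi = mem[STACK_PAGE + s]
    pc = (((hi << 8) | lo) + 1) & 0xFFFF
    return pc, s


def decode_at(mem, pc):
    """Decode the instruction at pc. Only JSR absolute (opcode $20) is
    modelled; its operand is the target address, low byte first."""
    opcode = mem[pc]
    if opcode == 0x20:
        target = mem[pc + 1] | (mem[pc + 2] << 8)
        return f"JSR ${target:04X}"
    return f"??? ${opcode:02X}"


def spawn_enemy(active, name):
    """Place a new enemy in the first slot not holding an active enemy,
    scanning from $0095 down to $0091, and return the slot address."""
    for addr in ENEMY_X_SLOTS:
        if addr not in active:
            active[addr] = name
            return addr
    raise RuntimeError("all five enemy slots are occupied")


def spawn_sequence():
    """Replay the slot bookkeeping the write-up describes: climbing past the
    piranha despawns it, the ?-block koopa and flying koopa take $0094/$0093,
    and despawning the flying koopa just before the piranha respawns puts
    the piranha into $0093."""
    active = {}
    spawn_enemy(active, "entry koopa")      # -> $0095, carried along the whole way
    spawn_enemy(active, "left piranha")     # -> $0094, unavoidable at level start
    del active[0x0094]                      # climb until the piranha despawns
    spawn_enemy(active, "?-block koopa")    # -> $0094
    spawn_enemy(active, "flying koopa")     # -> $0093
    del active[0x0093]                      # 4-frame despawn rule while falling fast
    spawn_enemy(active, "left piranha")     # -> $0093, the slot we need
    return active


def build_snapshot(mario_x=236, middle=225):
    """Constructed 64 KiB image holding only the bytes the example needs.
    Mario's x is inside the 232-240 range the pipe glitch needs; the three
    slots $0093-$0095 hold the bytes of the JSR."""
    mem = bytearray(0x10000)
    mem[STACK_PAGE] = 0x80       # $0100/$0101 read 80 00 at glitch time
    mem[STACK_PAGE + 1] = 0x00
    mem[PLAYER_X] = mario_x
    mem[0x0093] = 32             # left piranha plant: 32 = $20 = JSR opcode
    mem[0x0094] = middle         # ?-block koopa's shell: 225 ($E1) or 227 ($E3)
    mem[0x0095] = 143            # level-entry koopa's shell: 143 = $8F
    return mem


def demo(middle=225):
    """Return (address execution resumes at, stack pointer after the RTS,
    instruction found at $0093) for the constructed snapshot."""
    mem = build_snapshot(middle=middle)
    pc, s = rts_return_address(mem, 0xFF)
    return pc, s, decode_at(mem, 0x0093)


if __name__ == "__main__":
    pc, s, insn = demo()
    print(f"RTS at S=$FF resumes at ${pc:04X} with S=${s:02X}")   # $0081, $01
    print(f"bytes at $0093-$0095 decode as {insn}")                 # JSR $8FE1
    print("with 227 in $0094:", demo(227)[2])                       # JSR $8FE3
    print({hex(a): n for a, n in spawn_sequence().items()})
```

Running it reproduces the numbers in the text: the wrapped RTS lands at $0081 with S=$01 (the stack stores the return address minus one, so 80 00 yields $0081), the three slots decode as JSR $8FE1, and the replayed spawn sequence leaves the entry shell in $0095, the ?'s shell in $0094 and the left piranha in $0093.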

The Pipe Glitch

This glitch has been known for some time. If Mario presses down while being ejected from the right side of a pipe end-cap, the game thinks he's standing in the middle and lets Mario enter the pipe.

Thanks

RAT926 for discovering the glitch tile that enables the wrong warp.
HHS for figuring out the technical details of the glitch, determining the instruction that would skip to the ending, and writing a script to troubleshoot sprite placement.
vgmaps.com for making TAS'ing so much easier.

Noxxa: Judging.
Noxxa: Great to see another big title broken with arbitrary code execution to jump to the ending. Accepting to Moons as a separate branch - this run will not obsolete the classic conventionally played run category.
Ilari: Processing.
Ilari: Replaced file with one with author subtitles. No changes to input.

Reviewer, Player (181)
Joined: 3/2/2014
Posts: 71
Location: Colorado, USA
*ALL HAIL TO THE MIGHTY LORD TOMPA* I. Fucking. Love. Memory corruption. So much yes.
No game is perfect, Everything can be broken. - Whoever was on the couch with dwangoAC and Weatherton at AGDQ 2014.
Editor, Player (68)
Joined: 1/18/2008
Posts: 663
just the video nobody was waiting for Link to video
true on twitch - lsnes windows builds 20230425 - the date this site is buried
Chamale
He/Him
Player (178)
Joined: 10/20/2006
Posts: 1352
Location: Canada
Voting yes. I think it's time to make a big improvement to the Super Mario quad run.
Tompa
Any
Editor, Expert player (2142)
Joined: 8/15/2005
Posts: 1934
Location: Mullsjö, Sweden
True: Very nice! And it seems like the card flowers are still visible in that version. So them disappearing in the TAS is actually an emulator bug then. Edit: And in the Nicovideo version, they are also visible http://www.nicovideo.jp/watch/sm23404906. I'm quite confused... Edit2: Alright. It seems to be a bug in the PRG0 version, fixed in PRG1. Case solved, lol.
Experienced player (703)
Joined: 2/5/2011
Posts: 1417
Location: France
dem.... such glitch. yes vote.
Current: Rayman 3 maybe? idk xD Paused: N64 Rayman 2 (with Funnyhair) GBA SMA 4 : E Reader (With TehSeven) TASVideos is like a quicksand, you get in, but you cannot quit the sand
Editor
Joined: 11/3/2013
Posts: 506
So what, if I read the notes right, this trick is possible in real time? How on earth are real-time runners meant to manipulate the enemy positions to execute the code?
Tompa
Any
Editor, Expert player (2142)
Joined: 8/15/2005
Posts: 1934
Location: Mullsjö, Sweden
Real time runners have a different setup for this. Here is the current record: http://www.twitch.tv/maggara1/c/4093224
Mitjitsu
He/Him
Banned User, Experienced player (532)
Joined: 4/24/2006
Posts: 2997
Soig
He/Him
Skilled player (1478)
Joined: 12/4/2010
Posts: 252
mmm... Will this replace normal SMB3's record? I don't think these are the same. After all, there is a good story in the normal version.
Joined: 11/21/2012
Posts: 53
Location: France
You kick the game :D it's too amazing, I vote yes.
"Si le mal existe en ce monde, il se cache dans le cœur des hommes." "If there is evil in this world, it lurks in the hearts of man." Edward D. Morrison - Tales of Phantasia
Joined: 12/29/2007
Posts: 489
Could someone explain again how the PC jumps to the invalid location in the first place? I know I've asked this before, but earlier I had the impression that it was something like "when Mario touches the note block, the game has to draw the correct 'note block bounce' sprite to the map, which means writing a value to map data, but said map data is invalid so the game writes to an exploitable unrelated place". But apparently that's not what's happening; it's the PC that's made to jump incorrectly to the x-coordinates (which spell out another jump). How does that happen?
Patashu
He/Him
Joined: 10/2/2005
Posts: 4017
Zowayix wrote:
Could someone explain again how the PC jumps to the invalid location in the first place? I know I've asked this before, but earlier I had the impression that it was something like "when Mario touches the note block, the game has to draw the correct 'note block bounce' sprite to the map, which means writing a value to map data, but said map data is invalid so the game writes to an exploitable unrelated place". But apparently that's not what's happening; it's the PC that's made to jump incorrectly to the x-coordinates (which spell out another jump). How does that happen?
I think the idea is that the note block's code is meant to be in RAM, so it looks in RAM for the note block code, and finds 'go to the princess' instead.
My Chiptune music, made in Famitracker: http://soundcloud.com/patashu My twitch. I stream mostly shmups & rhythm games http://twitch.tv/patashu My youtube, again shmups and rhythm games and misc stuff: http://youtube.com/user/patashu
Lord_Tom
He/Him
Expert player (3274)
Joined: 5/25/2007
Posts: 399
Location: New England
From what I understand, anyone more knowledgeable please correct:
1. Tile is encountered outside of valid area, CPU attempts to handle.
2. Based on incorrect tile data, MMC3 register is configured incorrectly. This register's function is to map 16-bit addresses to locations in ROM. So if the register value is X, the instruction JSR $ABCD jumps to one subroutine in ROM. But if the register value is incorrect, JSR $ABCD jumps to some unintended location, which could be anywhere. In the forum, this is what HHS means when he says the PRG layout gets changed.
3. The incorrect mapping causes execution in an incorrect area of ROM -- essentially, arbitrary code execution, but in a bad way! Ultimately, the code executed executes RTS (return) when it is already at the base of the stack (S=FF). This overflows the stack to S=01, and the next jump location is read from memory location $0100.
4. $0100 is technically reserved for the stack (which fills from $01FF downward) but the game designers didn't ever anticipate its being used -- so they used $0100 and $0101 to store some configuration variables. At the time the glitch occurs, their values are 80 00. So I think what happens is the return location is read from this area of the stack, read least-significant byte first for $0080, a RAM location.
5. Though execution starts at $0081, so not sure if the stack stores address-1 or if I'm wrong somewhere... :/
Joined: 10/1/2013
Posts: 98
Location: My Basement
Do I even have to say what I voted?
WST
She/Her
Active player (450)
Joined: 10/6/2011
Posts: 1690
Location: RU · ID · AM
This is incredibly incredible, my brain is jumping to voting yes ~
S3&A [Amy amy%] improvement (with Evil_3D & kaan55) — currently in SPZ2 my TAS channel · If I ever come into your dream, I’ll be riding an eggship :)
Ford
He/Him
Joined: 3/5/2013
Posts: 183
Location: California
And Bowser's all, "What the crap, we didn't even fight yet!"
Former player
Joined: 3/31/2005
Posts: 192
Location: Argentina
My only question is, how do you "enter" a pipe... outside said pipe?
Joined: 12/29/2007
Posts: 489
Lord Tom wrote:
From what I understand, anyone more knowledgeable please correct:
1. Tile is encountered outside of valid area, CPU attempts to handle.
2. Based on incorrect tile data, MMC3 register is configured incorrectly. This register's function is to map 16-bit addresses to locations in ROM. So if the register value is X, the instruction JSR $ABCD jumps to one subroutine in ROM. But if the register value is incorrect, JSR $ABCD jumps to some unintended location, which could be anywhere. In the forum, this is what HHS means when he says the PRG layout gets changed.
3. The incorrect mapping causes execution in an incorrect area of ROM -- essentially, arbitrary code execution, but in a bad way! Ultimately, the code executed executes RTS (return) when it is already at the base of the stack (S=FF). This overflows the stack to S=01, and the next jump location is read from memory location $0100.
4. $0100 is technically reserved for the stack (which fills from $01FF downward) but the game designers didn't ever anticipate its being used -- so they used $0100 and $0101 to store some configuration variables. At the time the glitch occurs, their values are 80 00. So I think what happens is the return location is read from this area of the stack, read least-significant byte first for $0080, a RAM location.
5. Though execution starts at $0081, so not sure if the stack stores address-1 or if I'm wrong somewhere... :/
So is this something similar to the SMW arbitrary code glitch? A non-existent sprite/tile is interacted with, and when the game tries to jump to the (non-existent) subroutine for that sprite/tile, it jumps elsewhere? In that case, is the tile in question here not actually a real note block, but a glitch tile that looks like one?
Lord_Tom
He/Him
Expert player (3274)
Joined: 5/25/2007
Posts: 399
Location: New England
Zowayix wrote:
So is this something similar to the SMW arbitrary code glitch? A non-existent sprite/tile is interacted with, and when the game tries to jump to the (non-existent) subroutine for that sprite/tile, it jumps elsewhere? In that case, is the tile in question here not actually a real note block, but a glitch tile that looks like one?
It is similar to SMW, but not quite the same. In this case, the game is trying to change one valid tile type (0x03, hidden note block) to another valid tile type (0x80, black space) in response to Mario touching the tile. But Mario is out of bounds, so the game didn't read the tiles onscreen from the normal RAM area defining the tiles for the active level, $6000-$794F. That's why the screen layout is bizarre. Similarly, when the game tries to update this tile, the update is written to an invalid location: $9c70. This is what causes the crash, and you can see from the trace log that the next instruction executed after this update is from a totally different area of the ROM. I don't know why writing to $9c70 changes how the game maps addresses (it isn't defined as anything special in the disassembly I have), but you can write to that address manually using the emulator hex editor and it causes a similar crash.
Lord_Tom
He/Him
Expert player (3274)
Joined: 5/25/2007
Posts: 399
Location: New England
GeminiSaint wrote:
My only question is, how do you "enter" a pipe... outside said pipe?
This glitch has been known for a few years. The game does a slightly lazy calculation to make sure Mario is close enough to the center of the pipe to use it. You can trick this calculation if Mario is just getting pushed off the right side of the pipe. You can go down an up pipe because the game just checks that you're on an end-cap tile -- it's not explicit that for an up pipe you're pressing up and a down pipe you're pressing down. In this case, Mario is "standing" on the end-cap for 1 frame by embedding himself in the wall, so the game assumes he's standing in the middle of a down-pipe.
Joined: 12/29/2007
Posts: 489
I figured about the "end-cap" thing (SMB:LL does it for the World 5->8 warp after all) but what is this lazy calculation you mentioned? It can't just be "Mario is on the edge of an end-cap tile" because while that works for the usual case, it also would let you enter a pipe by standing normally on its lip, which clearly doesn't work.
Mitjitsu
He/Him
Banned User, Experienced player (532)
Joined: 4/24/2006
Posts: 2997
I've wanted to get a greater understanding of the glitch, but I keep getting a desync on 1-2, despite having the right ROM and the most up-to-date emulator.
Joined: 4/3/2006
Posts: 269
Very surprising when watching it the first time -- especially when I watched the run before reading the submission text. Entertaining to watch! Voting yes!
HHS
Active player (282)
Joined: 10/8/2006
Posts: 356
Writing to any even location in the range 8000-9FFE will program the MMC3 Bank Select register. Bit 6 of this register selects the PRG bank mode. When set, the first 8K is fixed and the third 8K is swappable. When cleared, it is the other way around. SMB3 uses the layout where the first 8K is fixed. By writing 80 to 9C70, the other layout is selected, and eventually execution reaches 0081. (Return addresses are stored as 1 less than the address to return to.) For the pipe glitch to work, you must be standing on the pipe end, and you must be ejected to the right (so that you cross into the next tile) while holding the down button on the same frame. By being ejected, your position no longer corresponds with the tile the game assumes you're standing on.
Expert player (2583)
Joined: 6/2/2009
Posts: 1182
Location: Teresópolis - Rio de Janeiro - Brazil
minglw wrote:
Very surprising when watching it the first time -- especially when I watched the run before reading the submission text. Voting yes!
Same here! Also, it's a Mario run, what else would one expect other than so much love. :)
I am old enough to know better, but not enough to do it.